“AI is here to stay. This is not a passing fad, and we have got to look at the threats that are out there.” This stark assessment from IBM Distinguished Engineer Jeff Crume underscores the central theme of the latest Security Intelligence podcast episode, in which Crume joined Creative Director Claire Nunez and Nick Bradley of X-Force Incident Command, with Matt Kosinski hosting, to dissect industry trends spanning automated red teaming, supply chain accountability, and the long-term impact of major breaches. The panel began by outlining the New Year’s resolutions they hope organizations will adopt in 2026, quickly establishing that modern cybersecurity demands a fundamental shift in business perspective.
The consensus among the experts was that the traditional view of security as merely a technical or IT concern is obsolete. Nick Bradley argued forcefully for a paradigm change, insisting that cybersecurity must now be seen as central to business continuity: while prevention matters, the true goal is operational resilience. “It is central to survival. Companies need to realize that cybersecurity is not about preventing attacks... it is about staying in business, keep the business running no matter what,” Bradley stated. This means security must be woven into the core fabric of how companies operate and make decisions at every level, moving beyond simple compliance checklists.
A crucial resolution championed by both Crume and Nunez focused on eliminating the weakest link in the security chain: passwords. Citing phishing as the number one vector for costly data breaches, Crume highlighted the urgency of adopting passkeys. “If you don’t have a password, nobody can steal it from you,” Crume noted, explaining that passkeys are significantly more phishing-resistant. Nunez emphasized that organizations and individuals should start evaluating their encryption posture now, especially given the looming threat of quantum computing, which could render current encryption useless (a risk often framed as “harvest now, decrypt later”). Even without quantum capabilities, the long-tail threat of stolen credentials remains potent, as evidenced by the 2022 LastPass breach, where hackers are still working years later to decrypt stolen password vaults and extract cryptocurrency.
The conversation transitioned to a significant policy shift from Microsoft: the expansion of its bug bounty program. Microsoft announced it would now consider vulnerabilities in third-party and open-source components eligible for bounties, provided they have a “direct and demonstrable impact” on Microsoft Online Services. Crume viewed this as a positive and necessary evolution.
This expansion forces accountability across the entire software supply chain. It acknowledges that security risks often reside at the interface between components, not just in proprietary code.
Nick Bradley enthusiastically supported the move, suggesting that incentives like bug bounties are vital for keeping talented individuals focused on ethical hacking. “Anything that can help keep people on the least gray/white hat path is a good thing,” he said, framing the policy as a rising tide that lifts the security level of the entire ecosystem. The panelists agreed that this policy recognizes the complex, interconnected nature of modern software development, where a flaw in a single open-source library can compromise massive systems, echoing historical vulnerabilities like the notorious Log4j incident.
Finally, the discussion circled back to AI, touching upon both the threats posed by large language models (LLMs) and their potential as defensive tools. Crume stressed that organizations cannot afford to ignore the security implications of AI adoption, pointing to resources like the OWASP Top 10 for LLMs as essential starting points for governance. However, he cautioned against viewing AI solely as a tool for cost reduction or staff replacement in cybersecurity teams. “Don’t look at it as a way to replace people. You cannot cut your way to the top on this. You’re going to cut your way to the bottom,” Crume warned. Instead, AI should be leveraged as a force multiplier, augmenting the capabilities of existing human talent to manage the exponentially growing threat landscape. The industry must prioritize securing AI systems while simultaneously using them as a lever to enhance cyber defenses and ensure long-term operational integrity.